Privacy Policy
How Zephyr AFK collects, uses, and protects your personal data in accordance with the GDPR, UK GDPR, and UAE PDPL.
Last Updated: July 2026
1. Introduction
This Privacy Policy explains how ZEPHYR AFK MARKETING & CONSULTING - FZCO (License No. 86388, Dubai Integrated Economic Zones), collects, uses, discloses, and protects personal data when you visit our website, contact us, or use our services. We are committed to processing personal data in accordance with the EU GDPR, the UK GDPR, and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). We act as Data Controller for our own website and operations; where we process personal data on behalf of clients in the course of delivering marketing services, we act as a Data Processor and the client's privacy policy applies.
2. Contact Details
For all privacy-related enquiries, requests, or complaints, contact us at: ZEPHYR AFK MARKETING & CONSULTING - FZCO, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, UAE. Email: info@zephyrafk.com. As we are established outside the EU, where required by Article 27 GDPR we will appoint an EU representative and update this Policy accordingly.
3. Personal Data We Collect
Data you provide directly: contact and identity data (name, email, phone, company, job title); business and contractual data (billing details, proposals, contracts); communications data (emails, forms, video calls); and marketing preferences. Data collected automatically: technical data (IP address, browser, device, OS); usage data (pages viewed, session duration, clicks); and cookie data. We also receive data from third parties such as social media platforms and analytics providers. We do not collect special category data or children's data (under 16).
4. Purposes and Legal Bases
We process personal data only where a valid legal basis exists under Article 6 GDPR: performance of a contract (responding to enquiries, delivering services, managing client relationships); legal obligation (invoicing, accounting, regulatory compliance); consent (newsletters, direct marketing, analytics and advertising cookies); and legitimate interests (website security, fraud prevention, legal claims). Where we rely on legitimate interests, we have balanced our interests against your rights. You may object to such processing at any time.
5. How We Share Personal Data
We do not sell personal data. We may share it with: service providers (hosting, CRM, analytics, email, payment processing, AI tooling) acting on our instructions under Article 28 GDPR data processing agreements; advertising and social media platforms (Meta, Google, TikTok, LinkedIn) where you have consented; professional advisers (lawyers, accountants, auditors); public authorities where required by law; and business transferees in connection with a merger or acquisition, subject to appropriate safeguards.
6. International Transfers
We are based in the UAE. If you are in the EEA or UK, your personal data will be transferred outside those territories when you interact with us. Where such transfers are subject to the GDPR, we implement the European Commission's Standard Contractual Clauses (SCCs) with our processors and partners, supplemented where necessary by additional technical and organisational measures. You may request a copy of the relevant safeguards by contacting us at info@zephyrafk.com.
7. Your Rights
Subject to applicable law, you have: the right of access (Art. 15 GDPR); rectification (Art. 16); erasure (Art. 17); restriction of processing (Art. 18); data portability (Art. 20); the right to object (Art. 21) — including at any time to direct marketing; withdrawal of consent at any time (Art. 7(3)); and the right not to be subject to solely automated decision-making (Art. 22). Contact us at info@zephyrafk.com to exercise any right. We respond within one month. You also have the right to lodge a complaint with a supervisory authority, including the ICO (UK) or your local EU data protection authority.
8. Data Retention
We retain personal data only as long as necessary: enquiry data — up to 24 months from last contact; client and contractual data — duration of relationship plus up to 10 years (statutory limitation and UAE accounting obligations); marketing data — until you withdraw consent or after 24 months of inactivity; website analytics — up to 26 months; legal claims data — for the duration of proceedings and applicable limitation periods. On expiry, data is securely deleted or irreversibly anonymised.
9. Cookies and Similar Technologies
We use: strictly necessary cookies (required for site function, no consent needed); analytics cookies (to measure and improve performance, placed only with consent); and marketing/advertising cookies (including Meta, Google, TikTok, and LinkedIn pixels for retargeting, placed only with consent). On your first visit, our cookie banner allows you to accept, refuse, or customise non-essential cookies. You may change or withdraw your choices at any time via cookie settings or your browser. Refusing cookies does not prevent access to the website but may limit certain features.
10. Our Role as Data Processor
When delivering marketing management, social media, AI automation, or performance media services, we may process personal data (customer lists, lead data, audience data, CRM records) on behalf of our clients, who act as Data Controllers. Such processing is governed by a Data Processing Agreement (DPA) under Article 28 GDPR. We process such data only on the client's documented instructions, apply appropriate security measures, assist with data subject requests, and delete or return the data at the end of the engagement. If you believe your data is being processed by us on behalf of a client, please contact that client directly.
11. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction — including encryption in transit, access controls, least-privilege permissions, and staff confidentiality obligations. In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required by Article 33 GDPR, and notify affected individuals in accordance with Article 34 GDPR where the risk is high.
12. Third-Party Links
Our website may contain links to third-party websites, platforms, and services. We are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party sites you visit.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted on our website with a revised Last Updated date. Material changes will be communicated where required by law. Your continued use of our website or services after changes take effect constitutes acknowledgement of the updated Policy.
14. Contact Us
For any questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact: ZEPHYR AFK MARKETING & CONSULTING - FZCO, License No. 86388, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates. Email: info@zephyrafk.com.
For all privacy-related enquiries, requests, or complaints, contact us at: ZEPHYR AFK MARKETING & CONSULTING - FZCO, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, UAE. Email: info@zephyrafk.com. As we are established outside the EU, where required by Article 27 GDPR we will appoint an EU representative and update this Policy accordingly. info@zephyrafk.com